January 10th, 2009, 12:07 Posted By: wraggster
News from Marcan:
The Argon modchip guys have been trumping up this new cool thing they call the Argon Channel. At first details were sketchy, but as time passed what it was started to become obvious: some homebrew launching or installing “solution”, locked to a modchip.
Recently, the Argon guys showed up on IRC and had an interesting conversation with me, where they tried to get me to help them get the channel to work on System Menu 3.4 by convincing me of the wonderful world of modchip software. The conversation was somewhere along the lines of this, excluding the broken English: “By bundling it with our modchip we make homebrew more popular”. “But it’s locked to your modchip, how will that make it more popular?” “Yes, that makes it even more popular because it’s exclusive and people will want it.”
The response, obviously, was no.
Now the channel has shown up and gasp, it’s compatible with 3.4. Wait, did they find an exploit?
Of course they didn’t.
By watching the video you’ll see that it consists of a two-stage process. This should start ringing alarm bells: why on earth would they have to install two things to install the channel? You’ll also notice that before installing the second half, they do some sort of serial number verification. This seems to be their way of locking it to the chip.
Download their package. First alarm bell. They’re bundling the Twilight Hack, which they’re not authorized to do. Hmm.
Let’s look inside the first DOL file - which turns out to be the one labeled part2. They’re backwards. Shows how much time they spent preparing this package. This file looks suspiciously like a Waninkoko product - same banner and console style. Let’s look inside.
0004e980 00 00 00 20 49 73 00 00 00 00 0a 00 00 00 00 00 |... Is..........|
0004e990 00 00 02 a4 00 00 02 2c 00 18 8c 00 00 00 00 40 |.......,.......@|
0004e9a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0004e9b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0004e9c0 00 01 00 00 b3 ad b3 22 6b 3c 3d ff 1b 4b 40 77 |......."k<=..K@w|
That looks like a WAD header. Interestingly, `strings` didn’t show any readable four-letter Title ID among the Root-CA strings from the certs, TMD, and ticket. Let’s run it through a WAD extraction tool that I have, which prints out information:
Wii Wad:
Header 0x20 Type 'Is' Certs 0xa00 Tik 0x2a4 TMD 0x22c Data 0x188c00 @ 0xf40 Footer 0x40
ETicket:
Title ID: '\x00\x00\x00\x01\x00\x00\x00\x10'
Title key IV: 00 00 00 01 00 00 00 10 00 00 00 00 00 00 00 00
Title key (encrypted): 52 6b 1a 2a d0 db 6a 80 c2 95 25 63 80 98 f8 82
Common key index: 0
Title key (decrypted): 34 9e 8a c5 ed 3c e1 51 72 f2 b9 3e 1b cb 06 3b
ETicket signed by Root-CA00000001-XS00000003 using RSA-2048: ec f8... [OK]
TMD:
Versions: 0, CA CRL 0, Signer CRL 0, System 0-0
Title ID: 00000001-00000010 ('\x00\x00\x00\x01'-'\x00\x00\x00\x10')
Title Type: 1
Group ID: '\x00\x01'
Access Rights: 0x00000000
Title Version: 0x101
Boot Index: 1
Contents:
ID Index Type Size Hash
00000000 0 0x1 0x40 ca 2e 8c 59 e9 7e e9 fe...
00000001 1 0x1 0x188b81 65 3e 5e 0f 1d ea 72 f2...
TMD signed by Root-CA00000001-CP00000004 using RSA-2048: 8b 1a... [OK]
Certificates:
- CA00000001 (RSA-2048)
Certificate signed by Root using RSA-4096: 6f 47... [OK]
- CP00000004 (RSA-2048)
Certificate signed by Root-CA00000001 using RSA-2048: 8d 4f... [OK]
- XS00000003 (RSA-2048)
Certificate signed by Root-CA00000001 using RSA-2048: d7 0a... [OK]
Title ID 00000001-00000010 is IOS16. So this is how they get it to work on 3.4. And this is also why there’s a two-stage process. They’re bundling a private, repair center only, leaked IOS from Nintendo.
Ladies and gentlemen, epic fail.
There’s another WAD in the DOL. I’ll spare you the boring WAD infodumps and just say that it’s some version of cIOS. So their first stage “installer” just installs IOS16, then uses that to install cIOS. A waninkoko-worthy product indeed. I seem to recall him saying he’d never use IOS16, some time ago in the EOL forums. How quaint.
00000000 66 69 72 6d 77 61 72 65 2e 36 34 2e 30 38 30 38 |firmware.64.0808|
00000010 32 39 31 36 30 30 00 00 00 00 00 00 00 00 00 00 |291600..........|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 01 02 00 00 |................|
00000030 77 61 6e 69 6e 6b 6f 6b 6f 40 43 49 4f 53 00 00 |waninkoko@CIOS..|
Their part1 “installer” is just a standard game DVD launcher that launches it using cIOS.
Let’s look at their install DVD, shall we?
This is a standard Wii ISO. You can tell it has been fakesigned with Trucha Signer. This is evident because you can, you know, read my name and xt5’s on the signature:
502c0 00 01 00 01 a5 ce b8 bc 99 b7 e9 a0 c1 ff 14 78 |...............x|
502d0 5c 22 66 85 51 a0 44 0c 70 3e 16 34 9a 1c a6 74 |\"f.Q.D.p>.4...t|
502e0 74 47 56 46 4e 1c 56 b3 dd bc 76 f4 6b 64 ce 35 |tGVFN.V...v.kd.5|
502f0 40 72 c6 cf 53 9b 64 38 36 30 15 dc 4f 0d 6d 26 |@r..S.d860..O.m&|
50300 41 38 55 4b 67 d8 54 68 45 66 49 53 68 e9 61 78 |A8UKg.ThEfISh.ax|
50310 b1 30 c5 63 00 d9 69 de 93 d8 4f c8 69 ed 52 12 |.0.c..i...O.i.R.|
50320 96 35 28 45 48 e2 70 e2 4b 01 53 7d 53 e3 43 13 |.5(EH.p.K.S}S.C.|
50330 8b 30 77 6a 58 41 6f 6c 54 72 61 4c 61 4c 61 05 |.0wjXAolTraLaLa.|
50340 6d 64 8a 62 bd b8 53 98 b3 9c 55 df 4c 10 4e c2 |md.b..S...U.L.N.|
50350 4d 33 77 87 e0 a8 61 69 85 3b 4a 64 69 7a 37 f7 |M3w...ai.;Jdiz7.|
50360 fe 4b 84 42 d2 37 6c 48 67 c6 75 ec 45 8d 9e fd |.K.B.7lHg.u.E...|
50370 db 63 43 41 30 6a 4d 6d 42 4e 73 55 21 d5 da 32 |.cCA0jMmBNsU!..2|
50380 23 34 d2 64 f6 e3 4f 3c 43 ab 65 ec ea 1e a7 92 |#4.d..O<C.e.....|
50390 6f 68 70 54 68 49 6e 47 53 52 eb 52 96 a2 03 43 |ohpThInGSR.R...C|
503a0 8e 33 fb 73 be f8 67 72 49 6e 64 45 45 64 3f 3f |.3.s..grIndEEd??|
503b0 77 53 d8 89 28 a8 bf a4 aa e8 ef 83 ff 56 9a e3 |wS..(........V..|
For fun, try finding other interesting strings.
Let’s try running it through an information tool.
Game ARGO, maker NC, magic 5d1c9ea3: Argon Channel Installer
1 partitions in ISO:
[ 0] 0x0000050000 (00000000)
Wii Partition at 0x0000050000:
TMD @ 0x2c0 [0x208], Certs @ 0x4e0 [0xa00], H3 @ 0x8000, Data @ 0x20000 [0x1f0000]
ETicket:
Title ID: '\x00\x01\x00\x01ARGN'
Title key IV: 00 01 00 01 41 52 47 4e 00 00 00 00 00 00 00 00
Title key (encrypted): 21 21 41 52 47 4e 43 48 4e 4c 46 4b 4b 59 23 23
Common key index: 1
Title key (decrypted): 5a de 4a 66 32 0d c1 56 05 3e e3 64 c3 c0 d3 5b
ETicket signed by Root-CA00000001-XS00000003 using RSA-2048: d2 a8.... [FAIL]
Signature hash: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
TMD:
Versions: 0, CA CRL 0, Signer CRL 0, System 1-21
Title ID: 00010001-4152474e ('\x00\x01\x00\x01'-'ARGN')
Title Type: 0
Group ID: 'HB'
Access Rights: 0x00000000
Title Version: 0x1
Boot Index: 0
Contents:
ID Index Type Size Hash
00000000 0 0x1 0x3e0000 aa b4 a7 dc 21 48 0d e9...
TMD signed by Root-CA00000001-CP00000004 using RSA-2048: 00 ea... [BUG]
Signature hash: 00 6f...
H4 hash check passed
Data:
Blocks: 62
Subgroups: 7 (plus 6 blocks)
Groups: 0 (plus 62 blocks)
Certificates:
- CA00000001 (RSA-2048)
Certificate signed by Root using RSA-4096: 6f 47... [OK]
- CP00000004 (RSA-2048)
Certificate signed by Root-CA00000001 using RSA-2048: 8d 4f... [OK]
- XS00000003 (RSA-2048)
Certificate signed by Root-CA00000001 using RSA-2048: d7 0a... [OK]
pywii.wii.HashError: Failed to verify data chunk 0 against H0:
expected 82254908e26f42fe903d5bcf3f95f2acfa110e4d,
got 8b7219c81d0a4e985c65edd9de2c0b943520f8c6
So their ticket is signed wrong and the data doesn’t verify. Attempting to extract it yields garbage. This means their modchip patches the Title Key to something else. Because, you know, just in case you couldn’t figure it out yourself, they tell you. Their fake key is “!!ARGNCHNLFKKY##”.
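The structures the two info dumps above walk through, as an added Python example (not Marcan’s pywii tool or any code from the post): it parses the 32-byte WAD header from the first hex dump, derives the 64-byte-aligned section offsets that give the “Data @ 0xf40” line, names the title ID, builds the title-key IV shown in both ETicket dumps, and flags an “encrypted” title key that is plain ASCII like the Argon one. The field layout follows public WAD/ticket documentation; nothing is decrypted, since the common key is not part of the post.

```python
import struct

# WAD header bytes copied from the hex dump at 0x4e980 in the part2 DOL.
WAD_HEADER = bytes.fromhex(
    "00000020 49730000 00000a00 00000000"
    "000002a4 0000022c 00188c00 00000040"
)

def align64(n):
    """Every section inside a WAD is padded out to a 64-byte boundary."""
    return (n + 63) & ~63

def parse_wad_header(buf):
    """Parse the big-endian WAD header and compute where each section starts."""
    (hdr_size, wad_type, version, certs, _reserved,
     tik, tmd, data, footer) = struct.unpack(">I2sHIIIIII", buf[:32])
    if hdr_size != 0x20:
        raise ValueError("unexpected WAD header size 0x%x" % hdr_size)
    sizes = {"certs": certs, "tik": tik, "tmd": tmd, "data": data, "footer": footer}
    offsets, pos = {}, align64(hdr_size)
    for name in ("certs", "tik", "tmd", "data", "footer"):
        offsets[name] = pos
        pos = align64(pos + sizes[name])
    return {"type": wad_type.decode("ascii"), "version": version,
            "sizes": sizes, "offsets": offsets}

def describe_title_id(tid):
    """Name an 8-byte title ID: 00000001-0000000N (3..255) is IOS N."""
    high, low = struct.unpack(">II", tid)
    if high == 1 and 3 <= low < 0x100:
        return "IOS%d" % low
    if high == 0x10001:
        return "channel %s" % tid[4:].decode("ascii", "replace")
    return "%08x-%08x" % (high, low)

def title_key_iv(tid):
    """The title key IV is the 8-byte title ID zero-padded to the AES block size."""
    return tid + b"\x00" * 8

def printable_key(enc_key):
    """Return the key as text if all 16 bytes are printable ASCII (a fake key), else None."""
    if len(enc_key) == 16 and all(0x20 <= b < 0x7f for b in enc_key):
        return enc_key.decode("ascii")
    return None

if __name__ == "__main__":
    hdr = parse_wad_header(WAD_HEADER)
    print("Type %r Data @ 0x%x" % (hdr["type"], hdr["offsets"]["data"]))
    print(describe_title_id(bytes.fromhex("0000000100000010")))
    print(printable_key(bytes.fromhex("21214152474e43484e4c464b4b592323")))
```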
I tried all single or double byte patches in case they were using a really lame patch, but it appears they’re not that stupid. I’m currently waiting for a way of getting the Title Key, probably from someone with an Argon2. Expect an update once that happens. I can practically guarantee that their channel banner will also be stolen from a Nintendo channel, though - it looks just like all those other stolen banners, in the video (same animation). Beyond that, who knows - maybe there are even more things to laugh about.
In short, if you want a channel that:
Is vendor locked to a modchip
Is way more annoying to install than The Homebrew Channel
Consists of a bunch of jury-rigged tools to install and was clearly made by not very competent people
Is illegal twice
Is probably illegal a couple more times
Also rips off the Twilight Hack
More to come once I get their key
Then, by all means, get the ArgonChannel. Otherwise, stay very very far away.
Bonus content: Apparently Argon have never heard of fonts. Those were inside their modchip updater DOL file.
Bonus content 2: An HMAC password involved in the update process of the Argon chip is RobinsodAndWaninkoko1. Just in case anyone had any doubts that he’s involved in all this.
http://hackmii.com/2009/01/argonchannel-failure/